sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

Fix formatting and clippy warnings across workspace
All checks were successful
CI / Format (push) Successful in 3s
Details
CI / Clippy (push) Successful in 2m15s
Details
CI / Security Audit (push) Successful in 1m34s
Details
CI / Tests (push) Successful in 3m4s
Details

Browse Source 
- Run cargo fmt on all crates
- Fix regex patterns using unsupported lookahead in patterns.rs
- Replace unwrap() calls with compile_regex() helper
- Fix never type fallback in GitHub tracker
- Fix redundant field name in findings page
- Allow enum_variant_names for Dioxus Route enum
- Fix &mut Vec -> &mut [T] clippy lint in sbom.rs
- Mark unused-but-intended APIs with #[allow(dead_code)]

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Sharang Parnerkar
2026-03-02 17:41:03 +01:00
parent 62196e5d74
commit 03ee69834d
37 changed files with 519 additions and 220 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
compliance-agent/src/pipeline/patterns.rs
View File

@@ -7,6 +7,15 @@ use regex::Regex;
use crate::pipeline::dedup;
fn compile_regex(pattern: &str) -> Regex {
Regex::new(pattern).unwrap_or_else(|e| {
tracing::warn!("Invalid regex pattern '{pattern}': {e}, using empty fallback");
// SAFETY: "^$" is a known-valid regex that matches only empty strings
#[allow(clippy::unwrap_used)]
Regex::new("^$").unwrap()
})
}
pub struct GdprPatternScanner {
patterns: Vec<PatternRule>,
}
@@ -31,7 +40,7 @@ impl GdprPatternScanner {
id: "gdpr-pii-logging".to_string(),
title: "PII data potentially logged".to_string(),
description: "Logging statements that may contain personally identifiable information (email, SSN, phone, IP address).".to_string(),
pattern: Regex::new(r#"(?i)(log|print|console\.|logger\.|tracing::)\s*[\.(].*\b(email|ssn|social.?security|phone.?number|ip.?addr|passport|date.?of.?birth|credit.?card)\b"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)(log|print|console\.|logger\.|tracing::)\s*[\.(].*\b(email|ssn|social.?security|phone.?number|ip.?addr|passport|date.?of.?birth|credit.?card)\b"#),
severity: Severity::High,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go", "rb"].into_iter().map(String::from).collect(),
},
@@ -39,7 +48,7 @@ impl GdprPatternScanner {
id: "gdpr-no-consent".to_string(),
title: "Data collection without apparent consent mechanism".to_string(),
description: "Data collection endpoint that doesn't reference consent or opt-in mechanisms.".to_string(),
pattern: Regex::new(r#"(?i)(collect|store|save|persist|record).*\b(personal|user.?data|pii|biometric)\b"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)(collect|store|save|persist|record).*\b(personal|user.?data|pii|biometric)\b"#),
severity: Severity::Medium,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go"].into_iter().map(String::from).collect(),
},
@@ -47,7 +56,7 @@ impl GdprPatternScanner {
id: "gdpr-no-delete-endpoint".to_string(),
title: "Missing data deletion capability".to_string(),
description: "User data models or controllers without corresponding deletion endpoints (right to erasure).".to_string(),
pattern: Regex::new(r#"(?i)(class|struct|model)\s+User(?!.*[Dd]elete)"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)(class|struct|model)\s+User"#),
severity: Severity::Medium,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go", "rb"].into_iter().map(String::from).collect(),
},
@@ -55,7 +64,7 @@ impl GdprPatternScanner {
id: "gdpr-hardcoded-retention".to_string(),
title: "Hardcoded data retention period".to_string(),
description: "Data retention periods should be configurable for GDPR compliance.".to_string(),
pattern: Regex::new(r#"(?i)(retention|ttl|expire|keep.?for)\s*[=:]\s*\d+"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)(retention|ttl|expire|keep.?for)\s*[=:]\s*\d+"#),
severity: Severity::Low,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go", "yaml", "yml", "toml", "json"].into_iter().map(String::from).collect(),
},
@@ -74,7 +83,13 @@ impl Scanner for GdprPatternScanner {
}
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
let findings = scan_with_patterns(repo_path, repo_id, &self.patterns, ScanType::Gdpr, "gdpr-patterns")?;
let findings = scan_with_patterns(
repo_path,
repo_id,
&self.patterns,
ScanType::Gdpr,
"gdpr-patterns",
)?;
Ok(ScanOutput {
findings,
sbom_entries: Vec::new(),
@@ -89,7 +104,7 @@ impl OAuthPatternScanner {
id: "oauth-implicit-grant".to_string(),
title: "OAuth implicit grant flow detected".to_string(),
description: "Implicit grant flow is deprecated and insecure. Use authorization code flow with PKCE instead.".to_string(),
pattern: Regex::new(r#"(?i)(response_type\s*[=:]\s*["']?token|grant_type\s*[=:]\s*["']?implicit)"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)(response_type\s*[=:]\s*["']?token|grant_type\s*[=:]\s*["']?implicit)"#),
severity: Severity::High,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go", "yaml", "yml", "json"].into_iter().map(String::from).collect(),
},
@@ -97,7 +112,7 @@ impl OAuthPatternScanner {
id: "oauth-missing-pkce".to_string(),
title: "OAuth flow without PKCE".to_string(),
description: "Authorization code flow should use PKCE (code_challenge/code_verifier) for public clients.".to_string(),
pattern: Regex::new(r#"(?i)authorization.?code(?!.*code.?challenge)(?!.*pkce)"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)authorization.?code"#),
severity: Severity::Medium,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go"].into_iter().map(String::from).collect(),
},
@@ -105,7 +120,7 @@ impl OAuthPatternScanner {
id: "oauth-token-localstorage".to_string(),
title: "Token stored in localStorage".to_string(),
description: "Storing tokens in localStorage is vulnerable to XSS. Use httpOnly cookies or secure session storage.".to_string(),
pattern: Regex::new(r#"(?i)localStorage\.(set|get)Item\s*\(\s*["'].*token"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)localStorage\.(set|get)Item\s*\(\s*["'].*token"#),
severity: Severity::High,
file_extensions: vec!["js", "ts", "jsx", "tsx"].into_iter().map(String::from).collect(),
},
@@ -113,7 +128,7 @@ impl OAuthPatternScanner {
id: "oauth-token-url".to_string(),
title: "Token passed in URL parameters".to_string(),
description: "Tokens in URLs can leak via referrer headers, server logs, and browser history.".to_string(),
pattern: Regex::new(r#"(?i)(access_token|bearer)\s*[=]\s*.*\b(url|query|param|href)\b"#).unwrap_or_else(|_| Regex::new("^$").unwrap()),
pattern: compile_regex(r#"(?i)(access_token|bearer)\s*[=]\s*.*\b(url|query|param|href)\b"#),
severity: Severity::High,
file_extensions: vec!["rs", "py", "js", "ts", "java", "go"].into_iter().map(String::from).collect(),
},
@@ -132,7 +147,13 @@ impl Scanner for OAuthPatternScanner {
}
async fn scan(&self, repo_path: &Path, repo_id: &str) -> Result<ScanOutput, CoreError> {
let findings = scan_with_patterns(repo_path, repo_id, &self.patterns, ScanType::OAuth, "oauth-patterns")?;
let findings = scan_with_patterns(
repo_path,
repo_id,
&self.patterns,
ScanType::OAuth,
"oauth-patterns",
)?;
Ok(ScanOutput {
findings,
sbom_entries: Vec::new(),
@@ -211,7 +232,16 @@ fn scan_with_patterns(
fn walkdir(path: &Path) -> Result<Vec<walkdir::DirEntry>, CoreError> {
// Simple recursive file walk, skipping hidden dirs and common non-source dirs
let skip_dirs = [".git", "node_modules", "target", "vendor", ".venv", "__pycache__", "dist", "build"];
let skip_dirs = [
".git",
"node_modules",
"target",
"vendor",
".venv",
"__pycache__",
"dist",
"build",
];
let entries: Vec<_> = walkdir::WalkDir::new(path)
.into_iter()